Security issues trip up DHS info-sharing network

Agency may have rushed to complete network under a false deadline

By Michael Arnone

May 23, 2005

The Homeland Security Department's critical Homeland Secure Data Network (HSDN), one of its backbone networks for sharing critical information, is not only insecure, according to a recent inspector general report, but it was so rushed into operation that it will largely not meet user needs.

HSDN is a much-touted network intended to improve sharing of classified data with 600 law enforcement and intelligence agencies. Richard Skinner, acting inspector general at DHS, said he doubts that the network in its current state "will satisfy users' functional and security needs, and adequately protect classified information."

The report found that the chief information officer's office held few meetings with users and developers to determine what HSDN needed to accomplish. Yet HSDN still missed most of its deadlines, including its scheduled December 2004 implementation date, the report states.

The IG report contains "pretty damning stuff," said Steve Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists. Information sharing is central to the war on terrorism, he said, and "what this report says is that information sharing in the government is still nowhere near where it needs to be."

DHS officials had the impression in March 2004 that the Defense Department would cut DHS' access to DOD's Secret Internet Protocol Router Network (SIPRNET). At that time, Steve Cooper, who recently left the DHS CIO post, accelerated the network's development to finish it in nine months.

The report states, however, that the manager of SIPRNET said DOD had no intention of cutting off DHS' access. Instead, the military intended to gradually phase out services once HSDN was online, according to the IG report.

Skinner and Cooper didn't address the underlying question of why DHS officials would think that DOD would bar DHS from the classified network.

Skinner's office declined to comment. DHS spokesman Larry Orluskie said CIO officials knew all along that DHS was not going to lose access to SIPRNET and that Dec. 31 was merely a target date. The CIO's office worked aggressively to keep its promise to DOD to finish the project on time, Orluskie said, adding that wording in the IG report is imprecise.

The wording of the report, "the CIO's office believed," is fuzzy compared with the precision usually associated with such reports, Aftergood said. "It raises questions of whether this was going to happen or this was a misunderstanding."

The IG report, combined with DHS' reputation for mismanaging its programs, has homeland security experts baffled and a little skeptical.

"It all sounds kind of screwy," said James Carafano, senior fellow for national security and homeland security at the Heritage Foundation. "If you need to rely on a secure system, you don't rush something into place that isn't secure."

John Pike, director of GlobalSecurity.org, a nonpartisan defense research organization, said the argument that DHS would be yanked off SIPRNET before its own secure network was ready doesn't make sense. DHS would never be arbitrarily barred from the classified information it needs to do its job, he said.

The CIO office's explanation in the report "means that the senior management of this program had a fundamental misunderstanding of a really easy-to-understand concept," Pike said. The explanation given makes sense, he said, only if "these people couldn't manage their way out of a Glad bag."

DHS: It's secure

The Homeland Security Department's acting inspector general, Richard Skinner, reviewed the $337 million Homeland Secure Data Network program between August and November 2004.

DHS spokesman Larry Orluskie said the problems the IG report describes have been fixed and the network has been up and running at 30 sites since April 22.

"We absolutely feel it is secure," he said.

Most of the deficiencies the IG cited relate to measures for protecting the network and its data.